VUPEN sells Windows 8 zero-day vulnerability code

VUPEN claims to have successfully thwarted all new attack mitigation systems in Internet Explorer 10 and Windows 8 - and is selling the code to the highest bidder.

Security specialist VUPEN claims to have developed a zero-day exploit for Microsoft's latest Windows 8 operating system, and is willing to sell the code to the highest bidder.

Based in France, VUPEN makes its money by developing zero-day exploit code which attacks systems through vulnerabilities not yet publicly known. Zero-day exploits are the holy grail for crackers: if nobody knows about the exploit, nobody can protect against it. As the exploit is used in the wild, it gradually comes to peoples' attention and will eventually be patched - but there is a gap, sometimes days, sometimes years, between a zero-day exploit being developed and the company responsible starting work on a patch for the flaw.

With Windows 8, Microsoft claims to have improved the security within the operating system. In particular, Internet Explorer 10 has been hardened in a variety of ways to close off what is a common attack surface on desktop and laptop machines.

VUPEN claims that Microsoft has messed up somewhere along the way, however. Combining various existing zero-day attacks from its database, the company claims to have developed code to - in the words of the company's chief executive officer Chauoki Bekrar - 'pwn all new Win8/IE10 exploit mitigations' and allow remote code to be executed on a machine.

The news could be disastrous for Microsoft, which declared that it had sold over four million copies of Windows 8 in the three days following its launch last week. If those systems are now vulnerable to attack, the company needs to get working on a fix and fast - but VUPEN isn't going to help.

Unlike most security firms, which practice 'responsible disclosure' and allow the company responsible for a product to fix the flaw before making details of the exploit public, VUPEN has already begun selling the exploit code to its customers. With zero-day attacks often fetching tens of thousands of pounds from interested parties - often governments looking for a leg-up for their information warfare and signals intelligence divisions - VUPEN isn't likely to want Microsoft to find and fix the flaw just yet.

Naturally, VUPEN's claims have not gone unnoticed. Microsoft itself has been unable to confirm or deny the existence of the vulnerability in Windows 8, stating only that details of the flaw have not been shared with its Coordinated Vulnerability Disclosure team.

sounds like they are waiting for Microsoft to pay them for the disclosure,lol, based on what they do, VUPEN looks like a prosecution lawyer :D , on the other hand since its win8+ie10 (which recently was always the case), then a simple (as always) do not use IE10 is the temporary solution

since code is written by humans, and windows 8 was probably worked on by hundreds if not thousands off peeps there will always be flaws, I think VUPEN should be held accountable for not disclosing responsibly to Microsoft the flaws they have found

Anyone else think Microsoft would benefit from just buying companies like VUPEN? If they are so good at finding exploits, just buy them and then step back and let them keep doing the dirty work they already do. Accept now its a benefit not a threat.

Maybe I'm missing the point but it would certainly make sense to me. Its like goverments hiring hackers... If you already know they are good at it, why don't you just make it more beneficial for them to work for you than against you?

People like this should be able to get prosecuted. If the exploit affects even a small percentage of win 8, it could be a disaister. Sure microsoft should pay them for it but they should be prevented from selling it to anyone else. Microsoft get screwed over enough as it is.

@rollo its not simple as that though,Testing doesn't reveal every flaw a code and given the constrains the coders are given even if they found this specific flaw they may likely not embed the fix into the build in time.

VUPEN is in France so should not be to hard for MS to do something to them as they are for the most part selling ways to bypass security in windows is illegal as they are contributing to users losing money when one of these 0day stuff happens

Originally Posted by Kacela/me applauds the proper use of "cracker." :) The difference is intent.

Actually the difference between hacking and cracking isnt intent.. its hacking = re-writing someones code to do what you want it to (Aka I hacked that code the other night) . Cracking is what is traditionally though of as hacking aka gaining access to something or to crack into a database..

Originally Posted by Kacela/me applauds the proper use of "cracker." :) The difference is intent.

Actually the difference between hacking and cracking isnt intent.. its hacking = re-writing someones code to do what you want it to (Aka I hacked that code the other night) . Cracking is what is traditionally though of as hacking aka gaining access to something or to crack into a database..

Indeed, in fact "hacking" needn't even refer to someone else's code - it can mean writing ("hacking together") code or hardware to make it do things beyond its designers' intentions.

Originally Posted by lacunaI'm surprised people like this aren't made to 'disappear' by MS

Quote:

Originally Posted by sixfootsideburnsAnyone else think Microsoft would benefit from just buying companies like VUPEN? If they are so good at finding exploits, just buy them and then step back and let them keep doing the dirty work they already do. Accept now its a benefit not a threat.

Originally Posted by sub routineif they sold it to anyone other than micrsoft then surely they would open themselves upto and accessory as by definition this is "malitious" code

There are so many grammatical and spelling errors in this I can't even work out what you're trying to say. Please make at least a token effort to be clear in your posts. What I *think* you're saying is that, by selling their exploit to third parties, VUPEN would be committing a criminal offence. I'm sure they have thought that through. First, it depends on French law (VUPEN being incorporated there), with which I am unfamiliar but I am sure it is less protectionist on these things than US law, and/or the laws of whichever frontier jurisdiction VUPEN chooses to use to do its business (Panama, for example, has very lax restrictions on such things).

Secondly, "accessory" to what? In order to be an accessory, you must knowingly (or at least negligently) have facilitated the perpetration of a crime. The act of executing remote code, in and of itself, is unlikely to be a criminal offence, unless it is for a nefarious purpose. Admittedly it is difficult to come up with legitimate reasons to want to do that, but the point stands.

Thirdly, in order to be prosecuted for a criminal offence, you first have to be CAUGHT. I'm assuming any deals done by VUPEN will be kept very quiet - they may be publicising the fact that they have devised an exploit, but the average customer for such things is unlikely to want his purchase to be publicised.

Originally Posted by fdbh96People like this should be able to get prosecuted. If the exploit affects even a small percentage of win 8, it could be a disaster. Sure Microsoft should pay them for it but they should be prevented from selling it to anyone else. Microsoft get screwed over enough as it is.

This, but for me the problem isn't Microsoft getting screwed. It's the end user getting their system compromised and the negative effects that could come with that. As far as I am concerned these people are hacking purely for profit and while this is OK in a preventative sense, they are just black hat hackers if they sell elsewhere.

Originally Posted by mclean007There are so many grammatical and spelling errors in this I can't even work out what you're trying to say. Please make at least a token effort to be clear in your posts. What I *think* you're saying is...

Wowz! D condesention from ur side of d internets nearly blewed up my computer on to tiny peaces! If ur dat sensative to grammer u shudn't prolly shudnt be on d webs.

Log in

You are not logged in, please login with your forum account below. If you don't already have an account please register to start contributing.